review-article

Security&privacy issues and challenges in NoSQL databases

Published: 07 April 2022

Abstract

Organizing the storage of information and its retrieval from databases is a crucial issue, one that has become more critical with the spread of cloud- and Internet of Things (IoT)-based applications. In fact, not only has network traffic increased, but so have the amount of memory and the mechanisms needed to manage so-called Big Data efficiently. Relational databases, based on SQL, are giving way to NoSQL ones because of their efficiency in managing the heterogeneous information gathered from IoT environments. Such data can be stored, in a distributed manner, within the IoT network's devices or in the cloud. Hence, security and privacy concerns naturally emerge regarding access control, authentication, and authorization requirements. This paper analyzes the current state of the art of security and privacy solutions tailored to NoSQL databases, particularly the Redis, Cassandra, MongoDB, and Neo4j stores. The paper also aims to shed light on current challenges and future research directions in the field of database security in the IoT scenario.


Cited By

  • (2024) Create, Read, Update, Delete: Implications on Security and Privacy Principles regarding GDPR. Proceedings of the 19th International Conference on Availability, Reliability and Security. 10.1145/3664476.3670898 (1-7). Online publication date: 30-Jul-2024

Published In

Computer Networks: The International Journal of Computer and Telecommunications Networking, Volume 206, Issue C
Apr 2022
341 pages

Publisher

Elsevier North-Holland, Inc.
United States

Author Tags

  1. NoSQL databases
  2. Internet of Things
  3. Access control
  4. Authentication
  5. Authorization
  6. Security
  7. Privacy
